[Original] saned in sane-backends 1.0.7 and earlier calls malloc with an arbitrary size value if a connection is dropped before the size value has been sent, which allows remote attackers to cause a denial of service (memory consumption or crash).

Vulnerability Information

Advisories and Patches

SANE SANE 1.0 .0

Unaffected Versions

SANE sane-backend 1.0.11

Vulnerability Discussion

SANE is prone to a memory management vulnerability that may potentially cause a denial of service. This could occur when saned is running as a service, for example, through a super-server such as inetd or xinetd. saned may incorrectly allocate memory if a connection is dropped at a point where string input is expected. This could result in too much memory being allocated or a failure in the malloc operation.

It is not known if an attacker could exploit this issue to corrupt memory with attacker-supplied values, though this could make it theoretically possible to execute arbitrary code.
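The pattern described above, shown as an added example that is not code from sane-backends: a length word is read from the peer, the failed read is ignored, and the unset value becomes the allocation size. All names (`struct wire`, `read_word`, `unchecked_alloc_size`, `read_string_checked`), the `MAX_STRING_LEN` limit, the stale value and the byte arrays are assumptions constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STRING_LEN 4096u /* assumed limit for this sketch, not from the advisory */
/* In-memory stand-in for the socket; running out of bytes models a dropped connection. */
struct wire { const unsigned char *buf; size_t len, pos; int failed; };

/* Constructed inputs: a complete length-prefixed string, and a stream cut after 2 bytes. */
static const unsigned char FULL[] = {0, 0, 0, 5, 's', 'c', 'a', 'n', '0'};
static const unsigned char CUT[] = {0, 0};

/* Read a big-endian 32-bit word. On a short read, set failed and leave *out untouched. */
static void read_word(struct wire *w, uint32_t *out) {
    if (w->failed || w->len - w->pos < 4) { w->failed = 1; return; }
    const unsigned char *p = w->buf + w->pos;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    w->pos += 4;
}

/* Flawed pattern: read result ignored; returns the size that would reach malloc. */
size_t unchecked_alloc_size(struct wire *w, uint32_t stale) {
    uint32_t len = stale; /* models leftover memory contents */
    read_word(w, &len);
    return (size_t)len;
}

/* Hardened pattern: verify the size arrived, bound it, and confirm the payload is there. */
char *read_string_checked(struct wire *w) {
    uint32_t len = 0;
    read_word(w, &len);
    if (w->failed || len == 0 || len > MAX_STRING_LEN || w->len - w->pos < len) return NULL;
    char *s = malloc((size_t)len + 1);
    if (s == NULL) return NULL;
    memcpy(s, w->buf + w->pos, len);
    s[len] = '\0';
    w->pos += len;
    return s;
}

int main(void) {
    struct wire a = {CUT, sizeof CUT, 0, 0}, b = a, c = {FULL, sizeof FULL, 0, 0};
    char *none = read_string_checked(&b), *ok = read_string_checked(&c);
    printf("unchecked size on dropped connection: %zu\n", unchecked_alloc_size(&a, 0xfffffff0u));
    printf("checked: dropped=%s complete=%s\n", none ? none : "(rejected)", ok ? ok : "(rejected)");
    free(ok);
    return 0;
}
```
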

Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

Solution

The Sane project has released a new version to address this issue.

SuSE Linux has released a security advisory (SuSE-SA:2003:046) and fixes to address this issue. Users who are potentially affected by this vulnerability are advised to apply appropriate fixes as soon as possible. Please see the referenced advisory for additional details regarding the application of applicable fixes. Fixes are linked below.

Debian has released an advisory (DSA 379-1) containing fixes. Please see the referenced advisory for more details.

Red Hat has released advisory RHSA-2003:285-03 to address this issue.

Mandrake has released an advisory (MDKSA-2003:099) to address this issue. Please see the attached advisory for details on obtaining and applying fixes.

Conectiva Linux has released an advisory (CLA-2003:769) to address this issue. Please see the attached advisory for details on obtaining and applying fixes.

SGI has released an advisory (20031002-01-U) pertaining to their ProPack Linux distribution. The advisory has been released in response to a number of RHSA advisories, and includes a patch (Patch 10027) containing updated RPM packages relating to 22 different BIDS.

Patch 10027 can be obtained via the following link:
http://support.sgi.com/

For information regarding how to obtain individual RPM packages included in Patch 10027, please see the attached advisory.

SCO has released an advisory (CSSA-2004-005.0) and fixes to address this issue for OpenLinux. See the referenced advisory for links to fixes.

Red Hat has released an advisory (RHBA-2004:043-01) to obsolete Red Hat 9 fixes previously released with the RHSA-2003:278-01 advisory. Affected users are advised to apply the fixes as soon as possible. Further details regarding obtaining and applying relevant fixes are available in the referenced advisory.